CCA-Secure (Puncturable) KEMs from Encryption with Non-Negligible Decryption Errors

  • Valerio Cini
  • Sebastian Ramacher
  • Daniel Slamanig
  • Christoph Striecks
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12491)

Abstract

Public-key encryption (PKE) schemes or key-encapsulation mechanisms (KEMs) are fundamental cryptographic building blocks to realize secure communication protocols. There are several known transformations that generically turn weakly secure schemes into strongly (i.e., IND-CCA) secure ones. While most of these transformations require the weakly secure scheme to provide perfect correctness, Hofheinz, Hövelmanns, and Kiltz (HHK) (TCC 2017) have recently shown that variants of the Fujisaki-Okamoto (FO) transform can work with schemes that have negligible correctness error in the (quantum) random oracle model (QROM). Many recent schemes in the NIST post-quantum competition (PQC) use variants of these transformations. Some of their CPA-secure versions even have a non-negligible correctness error and so the techniques of HHK cannot be applied.

In this work, we study the setting of generically transforming PKE schemes with potentially large, i.e., non-negligible, correctness error to ones having negligible correctness error. While there have been previous treatments in an asymptotic setting by Dwork et al. (EUROCRYPT 2004), our goal is to come up with practically efficient compilers in a concrete setting and apply them in two different contexts. First, we show how to generically transform weakly secure deterministic or randomized PKEs into CCA-secure KEMs in the (Q)ROM using variants of HHK. This applies to essentially all candidates in the NIST PQC based on lattices and codes with non-negligible error, for which we provide an extensive analysis. We thereby show that it improves some of the code-based candidates. Second, we study puncturable KEMs in terms of the Bloom Filter KEM (BFKEM) proposed by Derler et al. (EUROCRYPT 2018), which inherently have a non-negligible correctness error. BFKEMs are a building block to construct fully forward-secret zero round-trip time (0-RTT) key-exchange protocols. In particular, we show how to achieve the first post-quantum secure BFKEM generically from lattices and codes by applying our techniques to identity-based encryption (IBE) schemes with (non-)negligible correctness error.
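As an added illustration of the setting the abstract describes (this is not code from the paper; its compilers and proofs are in the full text), the following Python model uses a constructed toy stand-in PKE, not a real or secure scheme, whose decryption fails with probability DELTA = 1/8 per ciphertext. It shows the FO-style re-encryption check rejecting ciphertexts that hit a decryption failure, and how encrypting the same message under ell independent coins derived from G(m) (an assumed amplification step chosen for this example; the paper's own compilers may differ in detail) drives the decapsulation-failure rate from DELTA down to about DELTA**ell.

```python
import hashlib
import secrets

DELTA = 1 / 8  # constructed: per-ciphertext decryption-failure probability of the toy PKE
MLEN = 32      # fixed message length; a toy ciphertext is 32 coin bytes followed by MLEN body bytes

def H(*parts: bytes) -> bytes:  # domain-separated SHA-256; stands in for the random oracles
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

# --- toy PKE with a modelled correctness error; NOT a real or secure public-key scheme ---
def keygen():
    sk = secrets.token_bytes(32)
    return H(b"pk", sk), sk

def enc(pk: bytes, m: bytes, r: bytes) -> bytes:
    pad = H(b"pad", pk, r)[:MLEN]
    return r + bytes(a ^ b for a, b in zip(m, pad))

def dec(sk: bytes, ct: bytes) -> bytes:
    pk, r, body = H(b"pk", sk), ct[:32], ct[32:]
    # Failure is a deterministic function of (key, coins), as in lattice and code schemes, and yields a wrong plaintext
    if int.from_bytes(H(b"fail", pk, r)[:4], "big") < DELTA * 2**32:
        return H(b"garbage", pk, r)[:MLEN]
    pad = H(b"pad", pk, r)[:MLEN]
    return bytes(a ^ b for a, b in zip(body, pad))

# --- derandomised, amplified PKE (assumed compiler): ell parallel encryptions of m under coins G(m, i) ---
def enc_amp(pk: bytes, m: bytes, ell: int) -> bytes:
    return b"".join(enc(pk, m, H(b"G", m, bytes([i]))) for i in range(ell))

# --- FO-style KEM with explicit rejection on top of the amplified PKE ---
def encaps(pk: bytes, ell: int):
    m = secrets.token_bytes(MLEN)
    ct = enc_amp(pk, m, ell)
    return ct, H(b"K", m, ct)

def decaps(sk: bytes, ct: bytes, ell: int):
    pk = H(b"pk", sk)
    if len(ct) != ell * (32 + MLEN):
        return None
    for i in range(ell):
        cand = dec(sk, ct[i * (32 + MLEN):(i + 1) * (32 + MLEN)])
        # Re-encryption selects a correctly decrypted component; a failed one re-encrypts to a different ct and is skipped
        if enc_amp(pk, cand, ell) == ct:
            return H(b"K", cand, ct)
    return None  # every component failed (probability about DELTA**ell) or ct was modified

def failure_rate(ell: int, trials: int = 4000) -> float:  # empirical failure rate on honest ciphertexts
    pk, sk = keygen()
    failures = 0
    for _ in range(trials):
        ct, k = encaps(pk, ell)
        k2 = decaps(sk, ct, ell)
        assert k2 in (None, k)  # a non-rejected decapsulation always agrees with encaps
        failures += k2 is None
    return failures / trials
```

Calling failure_rate(1) and failure_rate(3) gives rates near 1/8 and 1/512 respectively, while any modified ciphertext is rejected by decaps.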

Keywords

CPA-to-CCA transformations, Fujisaki-Okamoto transform, Non-negligible correctness error, Puncturable encryption

Notes

Acknowledgements

We would like to thank the anonymous reviewers for their helpful comments. This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement no. 783119 (SECREDAS), no. 826610 (COMP4DRONES), no. 871473 (KRAKEN) and by the Austrian Science Fund (FWF) and netidee SCIENCE grant P31621-N38 (PROFET).

References

  1. Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28
  2. Ambainis, A., Hamburg, M., Unruh, D.: Quantum security proofs using semi-classical oracles. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 269–295. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_10
  3. Aragon, N., et al.: BIKE. Technical report, National Institute of Standards and Technology (2019)
  4. Aragon, N., et al.: ROLLO. Technical report, National Institute of Standards and Technology (2019)
  5. Aviram, N., et al.: DROWN: Breaking TLS using SSLv2. In: USENIX Security (2016)
  6. Baldi, M., Barenghi, A., Chiaraluce, F., Pelosi, G., Santini, P.: LEDAcrypt. Technical report, National Institute of Standards and Technology (2019)
  7. Bauer, A., Gilbert, H., Renault, G., Rossi, M.: Assessment of the key-reuse resilience of NewHope. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 272–292. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_14
  8. Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_18
  9. Bindel, N., Hamburg, M., Hövelmanns, K., Hülsing, A., Persichetti, E.: Tighter proofs of CCA security in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019, Part II. LNCS, vol. 11892, pp. 61–90. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_3
  10. Bindel, N., Schanck, J.M.: Decryption failure is more likely after success. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 206–225. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_12
  11. Bitansky, N., Vaikuntanathan, V.: A note on perfect correctness by derandomization. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part II. LNCS, vol. 10211, pp. 592–606. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_20
  12. Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1–12. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055716
  13. Bloom, B.H.: Space/time trade-offs in hash coding with allowable errors. Commun. ACM 13, 422–426 (1970)
  14. Böck, H., Somorovsky, J., Young, C.: Return of Bleichenbacher’s oracle threat (ROBOT). In: USENIX Security 2018 (2018)
  15. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
  16. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13
  17. Bos, J.W., et al.: Frodo: take off the ring! Practical, quantum-secure key exchange from LWE. In: ACM CCS (2016)
  18. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_13
  19. Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_27
  20. Derler, D., Gellert, K., Jager, T., Slamanig, D., Striecks, C.: Bloom filter encryption and applications to efficient forward-secret 0-RTT key exchange. IACR Cryptol. ePrint Arch. (To appear in Journal of Cryptology)
  21. Derler, D., Jager, T., Slamanig, D., Striecks, C.: Bloom filter encryption and applications to efficient forward-secret 0-RTT key exchange. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 425–455. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_14
  22. Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In: ACM CCS (2015)
  23. Drucker, N., Gueron, S., Kostic, D., Persichetti, E.: On the applicability of the Fujisaki-Okamoto transformation to the BIKE KEM. IACR ePrint 2020/510 (2020)
  24. Ducas, L., Lyubashevsky, V., Prest, T.: Efficient identity-based encryption over NTRU lattices. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 22–41. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_2
  25. Dwork, C., Naor, M., Reingold, O.: Immunizing encryption schemes from decryption errors. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 342–360. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_21
  26. Fabšič, T., Hromada, V., Stankovski, P., Zajac, P., Guo, Q., Johansson, T.: A reaction attack on the QC-LDPC McEliece cryptosystem. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 51–68. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_4
  27. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34
  28. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2013). https://doi.org/10.1007/s00145-011-9114-1
  29. Gaborit, P., Hauteville, A., Phan, D.H., Tillich, J.-P.: Identity-based encryption from codes with rank metric. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part III. LNCS, vol. 10403, pp. 194–224. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_7
  30. Garcia-Morchon, O., et al.: Round5. Technical report, National Institute of Standards and Technology (2019)
  31. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: 40th ACM STOC (2008)
  32. Goldreich, O., Goldwasser, S., Halevi, S.: Eliminating decryption errors in the Ajtai-Dwork cryptosystem. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 105–111. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052230
  33. Green, M.D., Miers, I.: Forward secure asynchronous messaging from puncturable encryption. In: 2015 IEEE Symposium on Security and Privacy (2015)
  34. Günther, F., Hale, B., Jager, T., Lauer, S.: 0-RTT key exchange with full forward secrecy. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part III. LNCS, vol. 10212, pp. 519–548. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_18
  35. Guo, Q., Johansson, T., Nilsson, A.: A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part II. LNCS, vol. 12171, pp. 359–386. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_13
  36. Guo, Q., Johansson, T., Stankovski, P.: A key recovery attack on MDPC with CCA security using decoding errors. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 789–815. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_29
  37. Guo, Q., Johansson, T., Yang, J.: A novel CCA attack using decryption errors against LAC. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part I. LNCS, vol. 11921, pp. 82–111. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_4
  38. Hamburg, M.: Three bears. Technical report, National Institute of Standards and Technology (2019)
  39. Harris, B.: RSA key exchange for the secure shell (SSH) transport layer protocol. RFC (2006)
  40. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12
  41. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. Cryptology ePrint Archive, Report 2017/604
  42. Hohenberger, S., Koppula, V., Waters, B.: Chosen ciphertext security from injective trapdoor functions. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 836–866. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_28
  43. Hövelmanns, K., Kiltz, E., Schäge, S., Unruh, D.: Generic authenticated key exchange in the quantum random oracle model. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 389–422. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_14
  44. Howgrave-Graham, N., et al.: The impact of decryption failures on the security of NTRU encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 226–246. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_14
  45. Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_17
  46. Jager, T., Schinzel, S., Somorovsky, J.: Bleichenbacher’s attack strikes again: breaking PKCS#1 v1.5 in XML encryption. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 752–769. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33167-1_43
  47. Jiang, H., Zhang, Z., Chen, L., Wang, H., Ma, Z.: IND-CCA-secure key encapsulation mechanism in the quantum random oracle model, revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 96–125. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_4
  48. Jiang, H., Zhang, Z., Ma, Z.: Tighter security proofs for generic key encapsulation mechanism in the quantum random oracle model. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 227–248. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_13
  49. Koppula, V., Waters, B.: Realizing chosen ciphertext security generically in attribute-based encryption and predicate encryption. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 671–700. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_23
  50. Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 429–448. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_24
  51. Kuchta, V., Sakzad, A., Stehlé, D., Steinfeld, R., Sun, S.-F.: Measure-rewind-measure: tighter quantum random oracle model proofs for one-way to hiding and CCA security. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 703–728. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_24
  52. Naehrig, M., et al.: FrodoKEM. Technical report, National Institute of Standards and Technology (2019)
  53. Naor, M.: Bit commitment using pseudo-randomness. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 128–136. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_13
  54. Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: 22nd ACM STOC (1990)
  55. Nisan, N., Wigderson, A.: Hardness vs randomness. J. Comput. Syst. Sci. 49, 149–167 (1994)
  56. Paquin, C., Stebila, D., Tamvada, G.: Benchmarking post-quantum cryptography in TLS. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 72–91. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_5
  57. Ronen, E., Gillham, R., Genkin, D., Shamir, A., Wong, D., Yarom, Y.: The 9 lives of Bleichenbacher’s CAT: new cache ATtacks on TLS implementations. In: 2019 IEEE Symposium on Security and Privacy (2019)
  58. Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 520–551. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_17
  59. Samardjiska, S., Santini, P., Persichetti, E., Banegas, G.: A reaction attack against cryptosystems based on LRPC codes. In: Schwabe, P., Thériault, N. (eds.) LATINCRYPT 2019. LNCS, vol. 11774, pp. 197–216. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-30530-7_10
  60. Schwabe, P., et al.: CRYSTALS-KYBER. Technical report, National Institute of Standards and Technology (2019)
  61. Schwabe, P., Stebila, D., Wiggers, T.: Post-quantum TLS without handshake signatures. Cryptology ePrint Archive, Report 2020/534
  62. Sendrier, N., Vasseur, V.: On the decoding failure rate of QC-MDPC bit-flipping decoders. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 404–416. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_22
  63. Sun, S.-F., Sakzad, A., Steinfeld, R., Liu, J.K., Gu, D.: Public-key puncturable encryption: modular and compact constructions. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12110, pp. 309–338. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_11
  64. Zhang, J., Chen, Yu., Zhang, Z.: Programmable hash functions from lattices: short signatures and IBEs with small key sizes. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 303–332. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_11

Copyright information

© International Association for Cryptologic Research 2020

Authors and Affiliations

  • Valerio Cini (1)
  • Sebastian Ramacher (1)
  • Daniel Slamanig (1)
  • Christoph Striecks (1)
  1. AIT Austrian Institute of Technology, Vienna, Austria